Phish Day Out
The phishers out there are spreading their nets wider and wider. First it was the McPhish, where scammers were offering a $75 credit if you filled in a survey about your McDonald's eating habits, and then it was the Phish Day Out (Big Day Out phish).
For all you non-Aussies asking yourself what the Big Day Out is, well the BDO is one of Australia’s largest music festivals that tours around the country around the end of January finishing up here in Perth early February. The past few years I’ve seen some terrific bands at the BDO, including some of my all time favourite acts, Tool, Rage Against The Machine, The Mars Volta, The Killers and a whole bunch more. From the BDO press release:
Big Day Out has become aware of an internet phishing scam whereby individuals have received an email claiming to be on behalf of Ticketmaster and Facebook, stating that the recipient has won VIP passes to the Big Day Out. The email then requests that the recipient provide personal identification information including passport, birth certificate, driver's licence, health care card, Medicare card or bank statements.
This email is fraudulent and should not be responded to.
It is not authorised by the Big Day Out, Ticketmaster or Facebook.
What disturbs me about this is that to my knowledge this has been one of the first targeted phishing scams in Australia that focuses on a single event and is solely interested in gathering Personally Identifying Information (PII). They're not looking to directly take your credit card details (although I'm sure they're looking for that too), but to gather all the other information they need to take over your identity and therefore allow them to open bank accounts and all sorts of other nasty ID theft things (wiki).
Whether it's consumers wising up to scams and not divulging their credit card information over the Internet, or the scammers making better money on-selling PII as opposed to CC numbers, these types of scams will continue to increase, not just in the information they're trying to pilfer, but in their use of current events.
For all you people out there who don’t know this already (I’m not entirely sure who you are, but there’s no harm in repeating the message):
You should NEVER give out your personal or bank account details to somebody you don't know and trust. Don't be fooled by an email that looks legitimate or appears to link to a genuine website.
Please take care with your personal information!
For all you Aussies, check out www.scamwatch.gov.au.
Posted by Christian
Posted in: Privacy, Security
No Comments »
7 December 2008
It’s not a vulnerability when it’s a feature!
So I just read about Vanishd from Lifehacker, and as far as I can tell they have found a legitimate use for UI Redressing (ref to RSnake, Jeremiah Grossman and the GNUCITIZEN mob). Just... wow! All the conflicting thoughts and emotions. I mean finally, I'll have some way to look at porn at work through a peephole that will confuse my colleagues and bosses (and of course they will never ever see it on their proxy logs!).
On the other hand, who’s to say that they won’t have some layer set between mine (-2) and the fake ppt slide I’m supposedly working on (0)? At this time this is the only type of vulnerability I can think of. All I know is, no way in hell I’d be wanting to browse to any site that contains any sensitive information!
Posted by Christian
Posted in: Privacy, Security, Web Development
No Comments »
19 October 2008
Backup tapes are still storing data in the clear?
I shouldn't be surprised; I really shouldn't have been shocked at all when this popped up in my Reader from www.pogowasright.org. Yet another lost backup tape:
We recently learned that individual employees violated established procedures during a routine exercise and lost some suppliers' and other individuals' data which was contained on a system backup tape. Our investigation indicates that some of your personal information, including your Social Security number, name, and address may have been included in the lost backup tape. However, it is important to note that absolutely no customer or guest data was exposed.
The article does state that they don’t know whether or not the tapes were encrypted (read: protected), I hope that they were. Similar to my rant on utilising 2FA for online banking transactions (i.e. there are No Excuses), there is no excuse for not protecting your backup tapes when they are handed over to a third party.
I'm fairly sure that most, if not all, backup software provides an option for encryption; add to that, I'm also sure that this functionality, whilst providing protection, also provides compression. It's like putting on armour that also makes you lose weight.
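To make the "armour that also makes you lose weight" point concrete, here is an added illustration (not code from the post, and not from any backup product) of the pipeline a backup tool has to follow: compress first, because compression only works on data that still has structure, then encrypt, then authenticate the result so that a restore with the wrong key or from a tampered tape fails loudly instead of handing back garbage. The `keystream` construction is an assumed stand-in for the cipher real backup software would use, chosen only so the example runs on the Python standard library; the supplier records are constructed sample data, and `size_report` shows what happens if the two steps are done in the wrong order.

```python
import hashlib
import hmac
import os
import zlib

# Constructed sample "tape contents": repetitive supplier records of the kind the
# breach notice above describes (name, SSN, address). Not real data.
SAMPLE_RECORDS = b"".join(
    b"supplier=%05d;name=Example Pty Ltd;ssn=000-00-0000;address=1 Example St\n" % i
    for i in range(500)
)

SALT_LEN = NONCE_LEN = 16
TAG_LEN = 32
PBKDF2_ROUNDS = 100_000


def derive_keys(passphrase, salt):
    """Stretch the tape passphrase into separate encryption and MAC keys."""
    master = hashlib.pbkdf2_hmac("sha256", passphrase, salt, PBKDF2_ROUNDS, dklen=64)
    return master[:32], master[32:]


def keystream(key, nonce, length):
    """Illustrative keystream: SHA-256(key || nonce || counter) blocks.
    Assumed stand-in for the block-cipher mode a real product would use."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))


def protect_backup(plaintext, passphrase):
    """Compress -> encrypt -> MAC. Returns salt || nonce || ciphertext || tag."""
    salt, nonce = os.urandom(SALT_LEN), os.urandom(NONCE_LEN)
    enc_key, mac_key = derive_keys(passphrase, salt)
    compressed = zlib.compress(plaintext, 9)            # structure is still present here
    ciphertext = xor_bytes(compressed, keystream(enc_key, nonce, len(compressed)))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + ciphertext + tag


def restore_backup(blob, passphrase):
    """Verify the tag before touching the data, then decrypt and decompress."""
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    ciphertext, tag = blob[SALT_LEN + NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = derive_keys(passphrase, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("tag mismatch: wrong passphrase or tampered tape")
    return zlib.decompress(xor_bytes(ciphertext, keystream(enc_key, nonce, len(ciphertext))))


def restore_is_rejected(blob, passphrase):
    """True when restore_backup refuses the blob (used for tamper / wrong-key checks)."""
    try:
        restore_backup(blob, passphrase)
    except ValueError:
        return True
    return False


def tamper_is_detected(blob, passphrase):
    """Flip one ciphertext byte and confirm the restore is rejected."""
    damaged = bytearray(blob)
    damaged[SALT_LEN + NONCE_LEN] ^= 0x01
    return restore_is_rejected(bytes(damaged), passphrase)


def size_report(plaintext, passphrase):
    """Sizes for raw data, compress-then-encrypt, and the wrong order."""
    good = protect_backup(plaintext, passphrase)
    salt, nonce = os.urandom(SALT_LEN), os.urandom(NONCE_LEN)
    enc_key, _ = derive_keys(passphrase, salt)
    # Wrong order: encrypting first leaves nothing for the compressor to find.
    encrypted_first = xor_bytes(plaintext, keystream(enc_key, nonce, len(plaintext)))
    bad_len = SALT_LEN + NONCE_LEN + len(zlib.compress(encrypted_first, 9)) + TAG_LEN
    return {"raw": len(plaintext), "compress_then_encrypt": len(good),
            "encrypt_then_compress": bad_len}


if __name__ == "__main__":
    for name, size in size_report(SAMPLE_RECORDS, b"tape-passphrase").items():
        print(f"{name:>24}: {size} bytes")
```

The order matters in both directions: compressing after encryption does nothing (the ciphertext looks random to the compressor), and decrypting before checking the tag means a corrupted or hostile tape gets processed before you know it is bad.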
Another insight that I found quite interesting was the disclosure notification that was submitted to the New Hampshire AG, Kelly Ayotte. It was only 8 days ago that I read an almost identical document, also from Pogo, directed to Mrs Ayotte. It appears that in times of losing PII, apart from the identity thieves themselves the only people benefiting are those companies that offer ID protection services, such as ID Experts.
The common services that ID Experts offered in these two instances were:
- Credit monitoring
- Access to educational material
- A fraud representative that they can talk to (recovery advocate?)
- Insurance reimbursements
Does anyone know how effective these companies/services are?
Posted by Christian
Posted in: Privacy, Profession, Risk, Security
No Comments »
18 October 2008